Abusing the Internet of Things


approach and analysis are unique because they manipulated the temperature around the sensors to reverse engineer the protocol. This type of mindset is critical as it illustrates creativity on the part of the security researchers. This type of approach can also be employed by malicious entities to reverse engineer communication, so it is important that the design of communication protocols and supporting architecture is secure.

Based on a collection of marketing materials, the researchers learned that TPMS communication occurs in the ultra high frequency (UHF) range—specifically, the 315 MHz and 433 MHz bands—and uses amplitude-shift keying (ASK) or frequency-shift keying (FSK) modulation. Modulation is basically the way we facilitate communication over any given medium, such as through the air or over a wire. Take for instance our ability to transmit our vocal communications through a medium such as radio. The process of converting voice to a radio signal so that it can be sent wirelessly is called modulation. A carrier wave (often just called a carrier) is a waveform that is modulated to transmit communications wirelessly. In the case of ASK, the amplitude of the wave is changed to a fixed value when a binary symbol of 1 is communicated; the carrier signal is turned off to transmit a binary value of 0. In the case of FSK, the frequency of the carrier signal is changed to a fixed value to represent a 1 or a 0. There are various tutorials available online that discuss the topic of modulation in more detail.

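
The ASK and FSK schemes described above, shown as an added example that is not from the book or the researchers' work: a pure-Python sketch that modulates a constructed bit pattern both ways, adds noise, and recovers the bits by correlating each symbol against the expected tone. The samples per symbol, tone frequencies, noise level and bit pattern are assumptions chosen for illustration, not TPMS parameters, and symbol boundaries are assumed to be known.

```python
import math
import random

N = 64                      # samples per symbol (assumed)
ASK_CYCLES = 8              # carrier cycles per symbol (assumed)
FSK_CYCLES = {0: 6, 1: 10}  # carrier cycles per symbol for each bit (assumed)
BITS = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample payload

def tone(cycles, amplitude=1.0):
    """One symbol period of a sine carrier."""
    return [amplitude * math.sin(2 * math.pi * cycles * n / N) for n in range(N)]

def modulate_ask(bits):
    """Carrier at a fixed amplitude for 1, carrier switched off for 0."""
    return [s for b in bits for s in tone(ASK_CYCLES, 1.0 if b else 0.0)]

def modulate_fsk(bits):
    """Carrier frequency selected by the bit value."""
    return [s for b in bits for s in tone(FSK_CYCLES[b])]

def add_noise(samples, sigma=0.2, seed=1):
    """Add seeded Gaussian noise so the demodulators see a non-ideal signal."""
    rng = random.Random(seed)
    return [s + rng.gauss(0, sigma) for s in samples]

def tone_level(chunk, cycles):
    """Correlate one symbol against sin and cos of a tone (phase-independent)."""
    w = 2 * math.pi * cycles / N
    i = sum(x * math.sin(w * n) for n, x in enumerate(chunk))
    q = sum(x * math.cos(w * n) for n, x in enumerate(chunk))
    return math.hypot(i, q)

def symbols(samples):
    """Split the sample stream into whole symbol periods."""
    return [samples[k:k + N] for k in range(0, len(samples) - N + 1, N)]

def demodulate_ask(samples):
    # A full-amplitude symbol correlates to about N/2; decide at half of that.
    return [int(tone_level(c, ASK_CYCLES) > N / 4) for c in symbols(samples)]

def demodulate_fsk(samples):
    # Pick whichever of the two tones carries more energy in the symbol.
    return [int(tone_level(c, FSK_CYCLES[1]) > tone_level(c, FSK_CYCLES[0]))
            for c in symbols(samples)]

if __name__ == "__main__":
    for name, mod, demod in (("ASK", modulate_ask, demodulate_ask),
                             ("FSK", modulate_fsk, demodulate_fsk)):
        print(name, demod(add_noise(mod(BITS))))
```
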
The researchers did not disclose the manufacturers of the two different types of sensors they focused on, instead referring to them as Pressure Sensor A (TPS-A) and Pressure Sensor B (TPS-B). They used the ATEQ VT55 TPMS trigger tool (Figure 6-1) to trigger the sensors so that they would transmit data.


FIGURE 6-1. The ATEQ VT55 TPMS trigger tool


The TVRX daughterboard (Figure 6-2) attached to a Universal Software Radio Peripheral (USRP) allowed the research team to capture TPMS communications. The advantage of software-defined radios is that, wherever possible, they strive to implement features in software rather than hardware, making it less expensive for tinkerers to analyze radio communications.


CHAPTER 6: CONNECTED CAR SECURITY ANALYSIS—FROM GAS TO FULLY ELECTRIC
